Risk Assessment Process

posted in: Compliance, SEC Examinations
Dear Compliance Professional,
As part of the examination process, the SEC meets with senior management to discuss how each advisory firm identifies and mitigates conflicts of interest and legal, compliance, financial, and operational risks. This initiative is designed to: (i) evaluate firms’ control environment and “tone at the top,” (ii) understand firms’ approach to conflict and risk management, and (iii) initiate a dialogue on key risks and regulatory requirements.
Given the SEC’s priorities, we thought a refresher course on the risk assessment process was in order. You can also click here to access the frequently asked questions pertaining to risk assessment on our Web site.

Investment advisers are required to evaluate how their advisory activities, arrangements, affiliations, client base, service providers, conflicts of interest and other business factors may cause violations of the Investment Advisers Act. The results of this risk assessment should serve as the basis for drafting and revising compliance policies and procedures that are designed to mitigate, manage and control each risk area in ways that reflect the advisory firm's resources and its need for assurance that violations can be prevented or, if violations occur, that they will be detected promptly and corrected.

A risk assessment involves identifying and prioritizing issues pertaining to an investment adviser's operations that may create risk to the interests of the advisory firm and/or its clients. Accordingly, investment advisers need to (1) identify areas of risk that may be part of their advisory firm's everyday operations; (2) assess whether the controls in place for managing or mitigating these risks are adequate; and (3) modify their advisory firm's compliance policies and procedures as necessary.

Types of Risk

An adviser should consider the following types of risk as potentially harmful to the interests of the advisory firm and its clients.

Operational Risk

Operational risk arises from the potential that inadequate information systems, operational systems or transaction processing will result in unforeseen losses.

Compliance Risk

Compliance risk arises from the possibility that a breach of internal policies or procedures, laws, rules, regulations or ethical standards may negatively affect or disrupt the firm's operations or condition.

Financial Risk

Financial risk is the risk that the advisory firm may be unable to meet its financial obligations.

Reputational Risk

Reputational risk arises from the potential that inappropriate actions or inactions by associated persons or management may cause clients or potential clients to form a negative opinion of the advisory firm and/or its services.

Strategic Risk

Strategic risk arises from inadequate current or prospective business decisions, or inadequate responsiveness to changing conditions, that might harm the advisory firm's financial condition or create conflicts among its clients.

Identifying Risks

The SEC has identified 12 specific areas of concern that should be examined:

  • Marketing/Performance
  • Form ADV/Disclosures
  • Invoices/Fees
  • IPO Offerings
  • Soft Dollars
  • Compensation
  • Objectives/Restrictions
  • Trade Ticket
  • Trade Execution
  • Non-Public Information
  • Personal/Proprietary Trading
  • Money/Securities to/from Broker/Custodian

Measuring the Risks

The adviser should measure each identified risk by considering its likelihood, impact and probability in the absence of controls.

Likelihood

The possibility that a given event will occur.

Impact

The effect the event will have on clients or potential clients, disclosures, finances, reputation and regulatory obligations should it occur.

Probability

The anticipated frequency of a risk event given the regularity of the activity or process that is associated with the risk.

Prioritizing the Risks

Once the advisory firm has measured the inherent risks (i.e., the likelihood and impact of each risk in the absence of controls), the firm should prioritize the risks by addressing first the areas that have the greatest exposure.

Managing the Risks

The advisory firm should develop a risk management matrix that maps the firm's inventory of risks to the specific compliance policies and procedures that address each one. The firm should update the risk management matrix periodically, and no less than annually.